Slashdot Mirror


DJI Threatens Researcher Who Reported Exposed Cert Key, Credentials, and Customer Data (arstechnica.com)

An anonymous reader quotes Ars Technica: DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback -- including a threat of charges under the Computer Fraud and Abuse Act. DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

The company says they're now investigating "unauthorized access of one of DJI's servers containing personal information," adding that "the hacker in question" refused to agree to their terms and shared "confidential communications with DJI employees."
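The root cause in the story is a secrets-in-source problem: a wildcard TLS private key and AWS credentials sat in code pushed to GitHub. The usual defensive control is a scan of the files about to be committed, refusing the commit when a private-key block or an AWS credential shape shows up. The following is an added example written for this page, not DJI's code and not from the Ars Technica article; the rule set, the `Finding` type and the constructed `SAMPLE` settings file are assumptions, and the AWS values in the sample are the placeholder credentials AWS uses in its own documentation.

```python
"""Scan text or files for secrets that should never reach a repository.

Added example (not DJI's code): detects PEM private-key blocks and AWS
credential patterns so a pre-commit hook can refuse the commit.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Each rule: (kind, regex, capture group holding the secret, or None when the
# match is only a marker such as a PEM header and needs no redaction).
# AKIA/ASIA prefixes and the 40-character secret length are the documented
# shapes of AWS access key IDs and secret access keys.
RULES = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,6}([A-Za-z0-9/+=]{40})"), 1),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"), None),
]


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int      # 1-based line in the scanned text
    excerpt: str      # redacted: the report itself must not leak the secret


def redact(token: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can tell which key leaked, hide the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex, group in RULES:
            m = regex.search(line)
            if m is None:
                continue
            excerpt = m.group(0) if group is None else redact(m.group(group))
            findings.append(Finding(kind, line_no, excerpt))
    return findings


def should_block_commit(text: str) -> bool:
    """A pre-commit hook blocks on any hit; false positives are cheaper than a leak."""
    return bool(scan_text(text))


def scan_paths(paths):
    """Yield (path, finding) for every hit; unreadable or binary files are skipped."""
    for p in map(Path, paths):
        try:
            text = p.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
        for f in scan_text(text):
            yield p, f


# Constructed sample: a settings module of the kind that ends up in a public
# repository. The AWS values are the placeholders from AWS's own documentation,
# and the PEM body is filler, not a real key.
SAMPLE = '''# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TLS_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfakefakefakefake
-----END RSA PRIVATE KEY-----"""
LOG_LEVEL = "info"
'''

if __name__ == "__main__":
    # As a pre-commit hook: python scan_secrets.py $(git diff --cached --name-only)
    # With no arguments the constructed sample is scanned instead.
    if sys.argv[1:]:
        hits = list(scan_paths(sys.argv[1:]))
    else:
        hits = [("<sample>", f) for f in scan_text(SAMPLE)]
    for path, f in hits:
        print(f"{path}:{f.line_no}: {f.kind}: {f.excerpt}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it reports three hits in the sample (the access key ID, the secret key and the PEM header) and exits non-zero, which is what makes it usable as a hook. Two design points matter for the scenario on this page: the report redacts what it finds, so the scanner's own output cannot become a second leak, and a hit blocks rather than warns, because once a key is pushed to a public repository it has to be treated as compromised and rotated regardless of how quickly the commit is removed.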

15 of 81 comments

  1. The Chinese won't pay, huh? by Opportunist · · Score: 4, Interesting

    I'm pretty sure someone from another country will pay, don't worry.

    Dear companies, in general: Somehow you'll pay for us finding your blunders. Either you pay us, or you pay for the damage done by the one we sell it to.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Great drones, but invasive... by FrankSchwab · · Score: 5, Informative

    After doing some investigation, I understand why the US Military decided not to allow DJI use any more.

    DJI makes some really nice drones (I have a Phantom III Pro). No argument there.

    However, their app is a security nightmare. Installing it leaves persistent services running on your phone forever, and those persistent services maintain open network connections to servers in China. With its extensive list of required permissions, you basically give it complete and total control of your phone.

    --
    And the worms ate into his brain.
    1. Re: Great drones, but invasive... by ShanghaiBill · · Score: 4, Interesting

      I control my DJI drone with my burner phone, not my primary device. There is nothing on it for them to steal.

    2. Re: Great drones, but invasive... by NicknameUnavailable · · Score: 5, Insightful

      I control my DJI drone with my burner phone, not my primary device. There is nothing on it for them to steal.

      Except anything said in conversation around the device, images it points at, photos your drone takes, GIS information based on the drone flying around mapping your neighborhood, etc. If WW3 rolls around you're basically painting your house for a potential invasion site, since they already have detailed maps of your area.

  3. in a just world by DCFusor · · Score: 2

    They'd be boycotted starting now, for threatening someone trying to help them improve their product. If we know the whole story, that is. Sometimes when you just hear one side...

    --
    Why guess when you can know? Measure!
    1. Re:in a just world by Aighearach · · Score: 2

      They might be, especially if people start to realize that there is a company from France called Parrot making similar drones to DJI but a little cheaper.

  4. Why is DJI doing this? by jonwil · · Score: 2

    Why was DJI unwilling to offer the guy a deal that said "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it, we will agree not to take you to court over it". Then DJI could have replaced the credentials that got put into the GitHub code (certificate private keys, AWS credentials, whatever else) with things that aren't public, closed any other holes that resulted from what the guy found and moved on with the public at large not finding out what happened.

    1. Re:Why is DJI doing this? by Anonymous Coward · · Score: 2, Interesting

      Ego. And stupidity. And some members of the company not on the same page with other members about how to handle their bug bounty program.

      Of course, it could also be that Finisterre's methods exceed the parameters established in the program. He could be the type that thinks the ends justify the means, and that the rules don't apply to him. "Since I found something important you should be grateful and offer me indemnity, even though I broke the law and violated the TOS of your bug bounty program."

      I don't know enough facts to judge at this point.

    2. Re:Why is DJI doing this? by stephanruby · · Score: 5, Insightful

      Why was DJI unwilling to offer the guy a deal that said "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it, we will agree not to take you to court over it".

      A better agreement would have been:

      "if you agree to destroy all our data (credentials, keys, customer data etc), not use it for any purpose and not talk publicly about it for a period of one year ending on Nov 1st, 2018, we will agree to credit you publicly and pay you the bounty."

      Threatening someone you already gave permission to, and someone who has been acting in good faith all this time, is really a bad idea. It turns what is supposed to be a collaborative relationship into a confrontational one.

      Furthermore, a bug bounty program can't expect to silence a white hacker from a foreign country forever. Hackers are very ego-driven. Also, they make money and recruit new clients from recounting their exploit stories to others.

    3. Re:Why is DJI doing this? by Anonymous Coward · · Score: 2, Informative

      Ego. And stupidity. And some members of the company not on the same page with other members

      Yes. This is a big problem with many companies.

      even though I broke the law and violated the TOS of your bug bounty program."

      Their bug bounty program specifically said they were looking for: "potential threats related to DJI's servers, apps or hardware."

      He found EXACTLY what they said they were looking for, and told them about it.

      And, as he pointed out to them, in his response to their threat to prosecute him under the Computer Fraud and Abuse Act, "you can't find a security problem without first accessing the system".

      Just another crooked company run by scumbags.

    4. Re:Why is DJI doing this? by Aighearach · · Score: 3, Insightful

      That's what they tried to do! It is lame and slimy.

      If you have a bug bounty, people who are finding security bugs are security researchers, if they can't talk about it how do they build their career?!

      And when you give somebody permission to check your security for bugs, offering not to take them to court is actually a threat to take them to court, just phrased backwards, because you don't have any right to accuse them of crimes when you agreed for them to check your security.

      He left $30k on the table over those lame, slimy, offered terms. Bug bounty is bug bounty! If anything he should sue them for calling him a hacker and claiming he's some kind of black hat!

      The offer goes like this: Thanks for finding our bug, here is your money, thanks again, will you sign a document that says this is everything you found so far? There are no threats or demands. Nor is there even power to be making demands. Bug bounty is a service that helps the company!

  5. Many commercial drones use open source software by raymorris · · Score: 3, Informative

    A significant fraction of available quadcopters use PX4 or its relatives, DroneCode and Ardupilot. You can buy one ready to fly, or you can do as many PX4 users do and select your own motors, frame, radio, and controller to make exactly the quad you want.

  6. DJI are morons of the first degree. by Anonymous Coward · · Score: 2, Informative

    "the hacker in question" refused to agree to their terms

    Are they fucking serious??
    Look, someone found a serious fuck up by DJI and tried to do the right thing and notify them about it. But, oh-no.. it has to be on DJI's terms.
    How stupid are DJI here, they're being done a big favor here, they're not in a position to call the shots and piss on the guy trying to help them with their own fuck up.

    What does that teach us? If anyone finds a serious problem with DJI again, they'll remember these ungrateful cunts and say "fuck it, I hope a black hat finds it too", and then grin like a Cheshire Cat when they do.

    And you know what, DJI deserve it.

  7. Finisterre Reported GPL Violations. Revenge? by Bruce Perens · · Score: 5, Informative

    Kevin Finisterre had previously reported and documented GPL violations to me, which I enforced and got DJI to comply by distributing source for several programs and libraries. I did not charge DJI any money or ask for any proprietary software. One wonders if they have gotten annoyed with Kevin, though.

  8. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion